├── readme.md
└── tap

/readme.md:
--------------------------------------------------------------------------------
# curl-tap-sh

A lot of software on the internet is installed with the infamous `curl ... | sh`
pattern. People don't like this because the script runs without anyone having
looked at it: whatever `curl` downloads, possibly tampered with on the server or
somewhere in between, goes straight into a shell. People still use this method
because it is convenient.

Awal is here to present a solution. Included in this repo is a script, which
you can put somewhere in your `$PATH` under the name `tap`. Now whenever you
are about to run:

```sh
curl foo/bar | sh
```

Simply run the following instead:

```sh
curl foo/bar | tap | sh
```

`tap` first collects all of curl's output and saves it to a temp file, then
opens that file in your `$EDITOR` (or `vim` if `$EDITOR` is not set) so you can
review it. You can make changes to it if you want. If you write the file and
close the editor successfully (i.e., the editor returns exit code 0), `tap`
sends the saved contents, including your edits if any, along the pipe.
Otherwise it sends nothing (so in vim you can exit with `:cq` if, after
reviewing, you don't want to run the script). Because `tap` reads the entire
response before a single byte reaches `sh`, the download always proceeds at
full speed, whatever the script contains. This also shields against the timing
trick that [detects `curl | sh` server-side][1] by watching the client stop
reading while the shell executes an earlier line. Note that `tap` only gives you
the chance to review; a script too long or too obfuscated to read is one you
should not be piping into a shell in the first place.

Of course, `tap` deletes the temporary file afterwards :) (`mktemp` creates it
readable only by you, so nobody else on the machine sees the script in
between.)

## Other Stuff

There is also `vipe` from the excellent [moreutils][2] toolkit, written as a
Perl script. It does pretty much the same thing.

There is [hashpipe][3], written in Go, which verifies stdin against a checksum
passed to it on the command line. This is a pretty good idea too, but it
requires the distributor of the script to publish an up-to-date checksum at all
times, and you need to be sure that the channel through which you obtained the
checksum has not been meddled with: a checksum served from the same host as the
script adds nothing, since whoever can alter one can alter the other.

## Author

Awal Garg, [@awalGarg](https://twitter.com/awalGarg)

This repo is released under the WTFPL.

[1]: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
[2]: https://joeyh.name/code/moreutils/
[3]: https://github.com/jbenet/hashpipe
--------------------------------------------------------------------------------

/tap:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

f="$(mktemp)"                  # private (mode 0600) temp file for the buffered script
trap 'rm -f "$f"' EXIT         # remove temp file at exit, whatever the outcome
cat > "$f"                     # drain stdin completely before anything reaches sh
# The editor needs the terminal for both input and output: stdin is the
# (now exhausted) pipe from curl and stdout is the pipe into sh.
"${EDITOR:-vim}" "$f" < /dev/tty > /dev/tty
ee="$?"
if [ "$ee" -eq 0 ]; then
    cat "$f"                   # forward the reviewed (possibly edited) script
else
    echo "Editor exited with code $ee (not 0); nothing was passed on" 1>&2
    exit "$ee"
fi
--------------------------------------------------------------------------------
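The following is an added example, not part of the curl-tap-sh repo, that generalises the mechanism behind `tap` (drain the pipe, run a review step on the buffered file, forward only on exit code 0) and uses the same gate to implement the hashpipe-style checksum check from "Other Stuff" as well as a non-interactive scan. The `gate`, `check_*` and `sha256_of` names, and the hostname and digests in the comments, are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the curl-tap-sh repo): a "buffer, check, forward"
# gate. Usage:
#     curl https://example.invalid/install.sh | gate CHECK [ARGS...] | sh
# Stdin is drained completely before the check runs, so nothing reaches the
# shell early and a server timing how fast the client reads sees only a
# normal download. CHECK is run as `CHECK ARGS... FILE`; the buffered bytes
# are forwarded only if it exits 0.

gate() {
  local f rc
  f="$(mktemp)" || return 1          # mktemp creates the file with mode 0600
  cat > "$f"                         # 1. drain the pipe completely
  if "$@" "$f"; then                 # 2. run the review/check on the file
    rc=0
    cat "$f"                         # 3. forward only after a passing check
  else
    rc=$?
    echo "gate: check '$1' exited $rc; nothing forwarded" >&2
  fi
  rm -f "$f"
  return "$rc"
}

# Hex SHA-256 of a file; falls back to shasum on systems without sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Check in the spirit of hashpipe: compare the buffered script against a
# digest obtained out of band (a signed release note, a package manifest you
# already trust). A digest fetched from the same host as the script proves
# nothing, because whoever can alter one can alter the other.
check_sha256() {
  local expected="$1" file="$2"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Non-interactive check: refuse a script that itself pipes a download into a
# shell, which would just re-create the unreviewed `curl | sh` one hop down.
check_no_nested_pipe_to_sh() {
  ! grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$1"
}

# Interactive check equivalent to `tap`: the editor has to talk to the
# terminal, because stdin is the exhausted pipe and stdout leads into sh.
check_editor() {
  "${EDITOR:-vim}" "$1" </dev/tty >/dev/tty
}
```

`gate check_sha256 <digest>` is the hashpipe idea; `gate check_editor` is `tap`; `gate check_no_nested_pipe_to_sh` shows that the review step can be any command, which is the real point of buffering first. Whatever the check, the bytes that reach `sh` are exactly the bytes that were checked, because they come from the temp file and not from the network a second time.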